F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100
Configuring DVPN
The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices.
DVPN can be configured only at the CLI.
Feature and hardware compatibility
Hardware                 DVPN compatible
F1000-A-EI/F1000-S-EI    No
F1000-E                  Yes
F5000                    Yes
Firewall module          Yes
U200-A                   No
U200-S                   No
Overview
DVPN enables enterprise branches that use dynamic public addresses to establish a VPN network. It uses
the VPN Address Management (VAM) protocol to collect, maintain, and distribute dynamic public
addresses.
In DVPN, a collection of nodes connected to the public network forms a VPN. From the perspective of
DVPN, the public network is the link layer of the VPN, and the tunnels between VPN nodes constitute the
network layer. Branch devices dynamically access the public network. DVPN can get the public IP
addresses of the peers through VAM to set up secure internal tunnels conveniently.
When a DVPN device forwards a packet from one user subnet to another, it performs these operations:
1. Gets the next hop on the private network through a routing protocol.
2. Gets the public network address of the next hop through the VAM protocol.
3. Encapsulates the packet, using the public address as the destination address of the tunnel.
4. Sends the packet along the tunnel to the destination.
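The four forwarding steps above can be modeled as a two-stage lookup. The following is an added example, not code from HP or from this guide: the VamServer and DvpnNode classes, the addresses, and the routes are hypothetical, and the model covers only the address resolution logic, not the VAM wire protocol or tunnel encryption. It also shows the failure case where the private next hop has no public address registered, in which case the packet is dropped rather than tunneled.

```python
import ipaddress

class VamServer:
    """Toy VAM server: private address -> currently registered public address."""
    def __init__(self):
        self._registry = {}

    def register(self, private_ip, public_ip):
        self._registry[ipaddress.ip_address(private_ip)] = ipaddress.ip_address(public_ip)

    def resolve(self, private_ip):
        return self._registry.get(ipaddress.ip_address(private_ip))


class DvpnNode:
    def __init__(self, vam, routes):
        self.vam = vam
        # (prefix, private next hop) pairs, standing in for routing-protocol output
        self.routes = [(ipaddress.ip_network(p), ipaddress.ip_address(nh)) for p, nh in routes]

    def next_hop(self, dst):
        # Step 1: longest-prefix match on the private network
        hits = [(net, nh) for net, nh in self.routes if dst in net]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def forward(self, dst, payload):
        dst = ipaddress.ip_address(dst)
        nh = self.next_hop(dst)
        if nh is None:
            return ("drop", "no private route")
        public = self.vam.resolve(nh)  # Step 2: public address of the next hop
        if public is None:
            return ("drop", "next hop not registered with VAM")
        # Step 3: the public address becomes the tunnel (outer) destination
        packet = {"outer_dst": str(public), "inner_dst": str(dst), "payload": payload}
        return ("send", packet)  # Step 4: hand the packet to the tunnel


def demo():
    # Constructed sample data (RFC 5737 documentation ranges for public addresses)
    vam = VamServer()
    vam.register("10.0.0.2", "203.0.113.10")
    node = DvpnNode(vam, [("192.168.2.0/24", "10.0.0.2"), ("192.168.0.0/16", "10.0.0.3")])
    before = node.forward("192.168.2.5", b"data")
    vam.register("10.0.0.2", "198.51.100.7")  # branch obtained a new public address
    after = node.forward("192.168.2.5", b"data")
    unregistered = node.forward("192.168.9.1", b"data")  # next hop 10.0.0.3 never registered
    return before, after, unregistered
```

Calling demo() returns the tunnel decision before and after the branch changes its public address, followed by the drop result for the unregistered next hop.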
Basic concepts
The following key roles are involved in DVPN:
• DVPN node—A DVPN node is a device at an end of a DVPN tunnel. It can be a networking device
or a host. A DVPN node takes part in tunnel setup and must implement the VAM client.
• VAM server—A VAM server receives registration information from DVPN nodes and manages and
maintains information about DVPN clients. A VAM server is usually a high-performance routing
device with VAM server enabled.
• VAM client—A VAM client registers its private address and public address with the VAM server and
obtains information about other VAM clients from the VAM server. The VAM client function must be